Information Security review

What is Security? (cont’d.)‏

The protection of information and its critical elements,

Introduction

Information security: a “well-informed sense of assurance that the information risks

CNSS Security Model

IITU - Information Security

Figure 1-6 The McCumber Cube
Desired goal,

Components of an Information System

Information system (IS) is entire set of

IITU - Information Security

Figure 1-10 SDLC Waterfall Methodology (life cycle)

Analysis

Documents from investigation phase are studied
Analysis of existing security policies or

Implementation

Security solutions are acquired, tested, implemented, and tested again
Personnel issues evaluated;

Summary

Information security is a “well-informed sense of assurance that the information

EVERYTHING NEEDS A BREAK.

Threats

Threat: an object, person, or other entity that represents a constant

IITU - Information Security

Table 2-1 Threats to Information Security4

Deliberate Software Attacks

Malicious software (malware) designed to damage, destroy, or deny

More about previous slide

Deliberate Software Attacks
Deliberate software attacks occur when an

Espionage or Trespass (cont’d.)‏

Expert hacker
Develops software scripts and program exploits
Usually a

Attacks

Attacks
Acts or actions that exploits vulnerability (i.e., an identified weakness) in

Attacks (cont’d.)‏

Types of attacks (cont’d.)
Back door: gaining access to system or

Attacks (cont’d.)‏

Types of attacks (cont’d.)
Denial-of-service (DoS): attacker sends large number of

Attacks (cont’d.)‏

Types of attacks (cont’d.)
Spoofing: technique used to gain unauthorized access;

Attacks (cont’d.)‏

Types of attacks (cont’d.)
Sniffers: program or device that monitors data

Attacks (cont’d.)‏

Types of attacks (cont’d.)
Social engineering: using social skills to convince

TAKE A DEEP BREATH

Information Security - IITU

Figure 4-1 Components of Risk Management

Risk Identification

Risk management involves identifying, classifying, and prioritizing an organization’s assets
A

Risk Assessment

Risk assessment evaluates the relative risk for each vulnerability
Assigns a

Information Security - IITU

Table 4-10 Risk Identification and Assessment Deliverables

Access Control

Access control: method by which systems determine whether and how

Identification

Identification: mechanism whereby an unverified entity that seeks access to a

Authentication

Authentication: the process of validating a supplicant’s purported identity
Authentication factors
Something a

Authorization

Authorization: the matching of an authenticated entity to a list of

TAKE A REST

Firewalls Processing Modes

Five processing modes by which firewalls can be categorized:
Packet

Information Security - IITU

Figure 6-6 Firewall Types and the OSI Model

Firewall Architectures (cont’d.)

Dual-homed host firewalls
Bastion host contains two network interface cards

Firewalls Processing Modes (cont’d.)

Application gateways
Frequently installed on a dedicated computer;

Virtual Private Networks (VPNs)

Private and secure network connection between systems; uses

Intrusion Detection and Prevention Systems (cont’d.)

Intrusion detection: consists of procedures and

Honeypots, Honeynets, and Padded Cell Systems

Honeypots: decoy systems designed to lure

Firewall Analysis Tools

Several tools automate remote discovery of firewall rules and

Scanning and Analysis Tools

Typically used to collect information that attacker would

Scanning and Analysis Tools (cont’d.)

Fingerprinting: systematic survey of all of target

Information Security - IITU

Figure 7-20 Biometric Recognition Characteristics

HAVE SOME REST

Cryptology: science of encryption; combines cryptography and cryptanalysis
Cryptography: process of making

Substitution Cipher

Substitute one value for another
Monoalphabetic substitution: uses only one alphabet
Polyalphabetic

Information Security - IITU

Table 8-2 The Vigenère Square

Cryptographic Algorithms

Often grouped into two broad categories, symmetric and asymmetric
Today’s popular

Symmetric Encryption (cont’d.)

Data Encryption Standard (DES): one of most popular symmetric

Asymmetric Encryption

Also known as public-key encryption
Uses two different but related keys
Either

Asymmetric Encryption

Also known as public-key encryption
Uses two different but related keys
Either

Symmetric Encryption (cont’d.)

Data Encryption Standard (DES): one of most popular symmetric

Symmetric Encryption

Uses same “secret key” to encipher and decipher message
Encryption methods

Securing Internet Communication with S-HTTP and SSL

Secure Socket Layer (SSL) protocol:

Securing e-mail with S/MIME, PEM, and PGP

Secure Multipurpose Internet Mail Extensions

Securing Web transactions with SET, SSL, and S-HTTP

Secure Electronic Transactions (SET):

Securing Wireless Networks with WEP and WPA

Wired Equivalent Privacy (WEP): early

Steganography

Process of hiding information
Has been in use for a long time
Most

DO YOU WANT A CUP OF COFFEE?!

Introduction

Physical security addresses design, implementation, and maintenance of countermeasures that protect

Uninterruptible power supply (UPS)

Uninterruptible power supply (UPS)
In case of power outage,

Heating, Ventilation, and Air Conditioning

Areas within heating, ventilation, and air conditioning

Physical Security Controls (cont’d.)

Electronic Monitoring
Records events where other types of physical

Summary

Threats to information security that are unique to physical security
Key physical

Introduction

SecSDLC implementation phase is accomplished through changing configuration and operation of

Developing the Project Plan

Creation of project plan can be done using

Information Security - IITU

Figure 10-2 The Bull’s-Eye Model

Positioning and Staffing the Security Function

The security function can be placed

Positioning and Staffing the Security Function

The security function can be placed

Information Security - IITU

Figure 11-2 Positions in Information Security

Staffing the Information Security Function (cont’d.)

Chief Information Security Officer (CISO or

Staffing the Information Security Function (cont’d.)

Security manager
Accountable for day-to-day operation of

Staffing the Information Security Function (cont’d.)

Security technician
Technically qualified individuals tasked to

IT MIGHT BE A BAD DAY, NOT A BAD LIFE

The Security Maintenance Model

Designed to focus organizational effort on maintaining systems
Recommended

Information Security - IITU

Figure 12-10 The Maintenance Model

Monitoring the External Environment

Objective to provide early awareness of new threats,

Monitoring the Internal Environment

Maintain informed awareness of state of organization’s networks,

Planning and Risk Assessment

Primary objective is to keep lookout over entire

Vulnerability Assessment and Remediation

Primary goal: identification of specific, documented vulnerabilities and

Information Security - IITU

Figure 12-15 Vulnerability Assessment and Remediation

Definitions

Policy: course of action used by organization to convey instructions from

Information Security - IITU

Figure 5-1 Policies, Standards, and Practices

The ISO 27000 Series

One of the most widely referenced and often

Information Security - IITU

Figure 5-8 Spheres of Security

Design of Security Architecture (cont’d.)

Firewall: device that selectively discriminates against information

Continuity Strategies

Incident response plans (IRPs); disaster recovery plans (DRPs); business continuity

Information Security - IITU

Figure 5-14 Components of Contingency Planning

Information Security - IITU

Figure 5-15 Contingency Planning Timeline

Information Security - IITU

Figure 5-16 Major Steps in Contingency Planning